RAT My Demise

Hi all,
I have a positive ID. Doing a "full system scan" I got a "Positive ID RAT: My Demise 1.0 Dropper Program Files / Enzip / enzip.sfx" I tried using `Go Back` and went back 2 days, did another scan with TDS3 it was still there.( it has never showed before when I have done scans with TDS3 (not full system scan) Norton System Works 2003 (fully updated) I have Wormguard installed, also Reg Protecter. Yesterday I noticed that my sygate firewall icon disappeared from the system tray, so I disconnected my cable modem. I then Installed Zone alarm Pro trial version, so that at least I had a firewall. So I have removed Enzip using the ADD / REMOVE in control panel. When I did a full system scan this morning it showed Positive ID in Norton recycled, see below, what is this trojan?
what do I do now?

 

Hi tutankamon, Please send a zipped copy of enzip etc to submit@diamoncs.com.au ASAP - Whilst zipped they can do no harm.
Download todays TDS update and run a full system scan with all scanning options enabled. If still there then use the submit menu item to send to DCS. Remember that TDS does scan inside of zipped folders.
If you have sytem restore there may be a copy of the file in a restore point.
Do another scan and if the thing shows again disable Sys restore. Reboot and then create a new system restore point and scan once again.

HTH Pilli.

 

Don't forget to send that password stealing thing too, please.

There might be something started, so you might like to create and post a AutostartViewer log or HJT log if it still comes back after Pilli's advices.
It could be something in the last database update too, of course detecting code which is not in an intended nasty (others call that false positives).
For your own second opinion you might like to go as well to www.kaspersky.com/remoteviruschk.html and online check the files (you can zip them all together in one zip as long as the size is under 1mb) -- i use it rather often there myself!

 

Hi Pilli,
I cant send you acopy of ENZIP as I removed it using the ADD / REMOVE program in the control panel.
The trojan is now located in the Norton recycled bin.
Is it safe there? Should I empty the bin? can I zip, and send the file to you from the Norton recycled bin?

 

Maybe you should change your passwords as well.
Dolf

 

Not sure about Norton, maybe another poster may be able to help you there - Sorry

 

This was a false positive on a few self extractors due to the similarity of the dropper used by the trojan in question. It was quickly fixed up for todays update many hours ago, apologies for the scare (please do download and update your databases soon though to confirm a non detection)

Edit: If your firewall disappeared hopefully only the GUI application CRASHED rather than being shut down. You should send an ASViewer log ASAP to gavin@diamondcs.com.au - do you use ProcessGuard ?

 

Hi Gavin,
No I do not use Process Guard as I am running on windows ME. I have emptied the Norton recycled bin, I have removed Enzip completely, I have installed Zone Alarm Pro (trial) I have cancelled my credit card, I have altered my password for my e mail, I have not had a nice day. I will now download the latest, latest update.

 

I see that port.pkf.exe -- was this left after registering PE ? I only have a port.pkf there.

Any reactions on the passwordstealer in the tools folder yet? You did send in that one too didn't you? Or is that part of the dropper story?

The enzip is not clear to me in this story? Is that the name of the sygate firewall or do i miss something completely?

Hope you get the credit card back soon, but might not be a bad idea to change them occasionallhy if you use them on internet. Somebody ever posted to have only little credit on them and after that use another one, and even using the giftcards we are spammed with on a daily basis with all kind of strange user names on them to avoid theft as much as possible. It surely seems to help.

 

tutankamon - Your experience is precisely why someone shouldn't automatically go about un-installing programs or deleting files when they receive an alert off of a new database.

It's the main reason I suggest having more than one anti-trojan program - so you can cross-check results before taking action. If you don't get a "positive detection" on both, it's a pretty good indication that you're dealing with a FP and should immediately contact the software maker with all the information involved - before you delete/un-install anything.

I'm sorry you had a bad day because of a false positive (I know what that's like). Pete

 

Hi Spy1,
Thanks for the post. I had a few beers last night, a good nights sleep, and things dont look as bad today. I have downloaded Enzip (a freeware file zip/ / unzip program) and reinstalled it. My new credit card will be with me in a couple of days, so everything should be ok. What other trojan program do you suggest, as a back up to TDS3?

 

Hi Jooske,
The `password stealing thingy` was a demo program, and was not a threat. The double extention in Port Explorer is this not normal? if not, what should I do to correct it?

 

Hi Tut,

Not normal, the port.pkf should not have the .exe extention.
Port.pkf in my PE folder is 6KB -
It would be interesting to know what size your port.pkf.exe is and if you also have a port.pkf file in your PE folder

 

Hi Pilli,
It is easier to show than to explain.

 

and

 

and finaly

 

Please would you zip it up and send a copy to submit@diamondcs.com.au -

I have attached an image of my folder for you to compare. Providing PE works properly when the file is zipped I believe that you could safely delete after sending a copy to DCS that is

 

Pilli, i guess --if you are talking about the port.pkf.exe in your last posting-- it is the self extracting keyfile for PE, so i don't see a real need to delete it, but no real need to keep it either, if you keep a copy of the keyfile and the registration email savely on a diskette or burned on a CD.


Tut, no matter what the passdump.exe thing is, a demo or a tool whatever, TDS detected it as a positive so i do hope you did submit that one too so even if it would be innocent it enables Gavin to refine detection in the databases. Thanks a lot!

 

Jooske, I must admit I never had a port.pkf.exe file, only port.pkf, probably because as beta testers we received our keys as a .zip if I remember correctly

Anyway at least we can see PE's main folder list for reference

 

Hi Jooske,
I have zipped the "leaktest demo" and submitted it. I will now move the "port pkf.exe" onto floppy then delete the original from the port explorer folder, correct?

 

Hi Tut, That would be good, but all you only need to copy the port.pkf file to a floppy just in case you have to re-format your hard drive for any reason in the future.
If you have any other DCS products you could also add their keyfiles.

 

This is the one i mean i took from your own screenshot, the leaktest is known, no problem with that at all. I ask you all the time to please submit the passdump.exe file. even if there is nothing wrong with it, it helps the refining of the databases. submit@diamondcs.com.au
Thanks.

 

I think you just need to rename port.pkf.exe back to port.pkf - it never WAS an exe file It comes as PORT.ZIP with port.pkf inside

 

Yes - that's even in the instructions that you receive when you get the keyfile, isn't it? (Re-naming it if it has a double-extension like that). Pete

 

Hi Gavin,
I have removed port pkf.exe, I already have a file port pkf. everything seems fine.